New Threats to Asus Routers, few details.

[L&LD]

Chinese state hackers infect critical infrastructure throughout the US and Guam

Group uses living-off-the-land attack and infected routers to remain undetected.

arstechnica.com

 

[maxbraketorque]

Always interesting to hear about these events. There didn't seem to be any explicit mention of the means of gaining access to SOHO routers, but they did imply http and ssh via the internet. The recent issue with asd may suggest that ASUS has been aware of the issue and was attempting to harden their routers. I suspect that Merlin knows a bit, but perhaps can't say anything.

 

[keefrto]

So is there anything we can do at a local level?

 

[drinkingbird]

So is there anything we can do at a local level?

Set a strong username and password, and disable all web access (SSH and HTTP/HTTPS). Make sure you have the latest firmware. If you suspect there is any chance you may have been infected (i.e. you had web access enabled), hard factory reset the router (hold WPS button while booting on most models, but you can look up the process for your model) and configure by hand, not from a backup. This is about all you can do, it may not be 100% guarantee but is good practice regardless.

In fact it would be best to factory reset, configure just enough to get in, upgrade firmware, factory reset again, and then configure everything by hand.

The hard factory reset formats the jffs partition. where holding the reset button does not, so you want to do the hard version as JFFS is where malware gets stored. If you are running merlin, you can be extra sure by doing all of the above but be fore reconfiguring after the second reset, check off "format jffs at next boot" and reboot. Then reconfigure. So you're formatting JFFS twice just to be extra sure.

If you don't have reason to believe you've been exposed to anything you can just make sure all WAN access is disabled and you have a strong password.

 

[keefrto]

Set a strong username and password, and disable all web access (SSH and HTTP/HTTPS). Make sure you have the latest firmware. If you suspect there is any chance you may have been infected (i.e. you had web access enabled), hard factory reset the router (hold WPS button while booting on most models, but you can look up the process for your model) and configure by hand, not from a backup. This is about all you can do, it may not be 100% guarantee but is good practice regardless.

In fact it would be best to factory reset, configure just enough to get in, upgrade firmware, factory reset again, and then configure everything by hand.

The hard factory reset formats the jffs partition. where holding the reset button does not, so you want to do the hard version as JFFS is where malware gets stored. If you are running merlin, you can be extra sure by doing all of the above but be fore reconfiguring after the second reset, check off "format jffs at next boot" and reboot. Then reconfigure. So you're formatting JFFS twice just to be extra sure.

If you don't have reason to believe you've been exposed to anything you can just make sure all WAN access is disabled and you have a strong password.

Hi and thank you. When you say disable wan access?

 

[maxbraketorque]

Hi and thank you. When you say disable wan access?

He means don't open SSH or HTTP/HTTPS to the internet. There is an option to allow this in the "System" tab of the Administration section of the firmware. ASUS uses the term "WAN" (wide area network) for internet.

 

[Wallace_n_Gromit]

Hi and thank you. When you say disable wan access?

I believe it should be disabled [No] by default.

 

[keefrto]

Yup that's what i have already. #phew

 

[drinkingbird]

Yup that's what i have already. #phew

On the same screen, above that under SSH make sure it says "LAN Only" (or No if you don't use it at all).

 

[sfx2000]

He means don't open SSH or HTTP/HTTPS to the internet. There is an option to allow this in the "System" tab of the Administration section of the firmware. ASUS uses the term "WAN" (wide area network) for internet.

Wasn't there a thing where if folks use the mobile App it would enable HTTP/HTTPS on the WAN interface?

 

[Tech9]

Wasn't there a thing where if folks use the mobile App it would enable HTTP/HTTPS on the WAN interface?

Yes. It asks if you want remote access. Asus is pretty confident opening access to WAN is okay. Millions of users have it enabled, I guess.

 

[keefrto]

So my local configuration shows both, then the https Lan port with a number then below that enable wan acess yes, are we good or no? I do have the mobile app. Under enable ssh I have Lan only

 

[Tech9]

below that enable wan acess yes

I'm good with your access to WAN enabled.

 

[keefrto]

I'm good with your access to WAN enabled.

Hmmmm I never you when you are being serious or kidding mate 🤔

 

[keefrto]

What am I missing then?

 

[keefrto]

I ditched the wan access which the app needed to work as the protection scanner said it was a risk. Happier

 

[Piotrek]

I ditched the wan access which the app needed to work as the protection scanner said it was a risk. Happier

I recommend everyone to the settings on their routers (there is also information about WAN access and app).

Router Security

Router Security Home Page

routersecurity.org

 

[drinkingbird]

So my local configuration shows both, then the https Lan port with a number then below that enable wan acess yes, are we good or no? I do have the mobile app. Under enable ssh I have Lan only

In a post right above you said it was set to "no"?

 

[maxbraketorque]

Hmmmm I never you when you are being serious or kidding mate 🤔

He's kidding. Disable WAN access.

 

[keefrto]

He's kidding. Disable WAN access.

Indeed I did